diff --git a/docs/products/access/api-reference/config-api/identity-provider-api.md b/docs/products/access/api-reference/config-api/identity-provider-api.md
index 88732ed..de270d5 100644
--- a/docs/products/access/api-reference/config-api/identity-provider-api.md
+++ b/docs/products/access/api-reference/config-api/identity-provider-api.md
@@ -1,7 +1,7 @@
# Identity Providers
These APIs allow the retrieval of configuration
-of [identity-providers](../../topics/general-app-config/identity-providers/identity-providers.md) via a REST
+of [identity-providers](../../topics/general-app-config/identity-providers/index.md) via a REST
API.
## Endpoints
@@ -105,32 +105,32 @@ Supported Identity Provider types: `TULIP`, `OAUTH`, `ID_BROKER`
JSON body parameters:
-| Param | Idp type | Required | Description |
-|------------------------------|--------------|----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| id | all | yes | Unique identifier for an Identity Provider. |
-| name | all | yes | Unique name of an Identity Provider. |
-| type | all | yes | Identity Provider type.
Supported types: `TULIP`, `OAUTH`. |
-| enabled | all | no | Specify whether an Identity Provider is enabled.
Default value: `true`. |
-| default | all | no | Specify whether an Identity Provider is default.
Default value: `false`. |
-| issuer_uri | TULIP | yes | Uri of the issuer. This URI will be used to read the OpenID Connect configuration. |
-| client_id | TULIP, OAUTH | yes | Client identifier. |
-| client_secret | TULIP, OAUTH | depends | Client secret.
Required if client authentication method is `client_secret_basic` or `client_secret_post` |
-| client_authentication_method | TULIP, OAUTH | no | Client authentication method.
Supported values: `private_key_jwt`, `client_secret_basic`, `client_secret_post`.
Default value is `private_key_jwt`. |
-| scopes | TULIP, OAUTH | no | Space-separated scopes. |
-| end_session_enabled | TULIP | no | Specify whether End Session integration is enabled for this Identity Provider.
Default value: `false`. |
-| integrations | TULIP | no | List of enabled integrations.
Supported values: `APP_TO_WEB`, `UDH_API`. |
-| tulip_api_client_id | TULIP | depends | Client identifier for Tulip API calls.
Required when `APP_TO_WEB` or `UDH_API` integration is enabled. |
-| tulip_api_client_secret | TULIP | depends | Client secret for Tulip API calls.
Required when `APP_TO_WEB` or `UDH_API` integration is enabled and authentication method is `client_secret_basic` or `client_secret_post`. |
-| tulip_api_base_url | TULIP | depends | This should be the base url of the Tulip brand without a trailing slash. UDH and App To Web will use this as a base for their urls.
Required when `APP_TO_WEB` or `UDH_API` integration is enabled. |
-| tulip_api_access_scope | TULIP | depends | Space-separated scopes for the required Tulip segments e.g. `iwelcome:segment:example`.
Required when `APP_TO_WEB` or `UDH_API` integration is enabled. |
-| tulip_api_used_auth_methods | TULIP | no | List of Auth Methods for the App to Web integration with Tulip e.g. `["SMS", "another"]`.
Used when `APP_TO_WEB` integration is enabled. |
-| authorization_url | OAUTH | yes | Oauth authorization endpoint. |
-| token_url | OAUTH | yes | Oauth token endpoint. |
-| profile_url | OAUTH | yes | OpenID Connect UserInfo endpoint. |
-| user_info_enabled | OAUTH | no | Specify whether CIM's Person API is enabled for this Identity Provider.
Default value: `false`. |
-| user_info_endpoint | OAUTH | depends | Identity source URL. The URL of API that provides user's identity. Use `{userId}` placeholder for userId path param. e.g. https://host/api/persons/{userId}/profile
Required when `user_info_enabled` is `true`. |
-| user_info_username | OAUTH | depends | Identity source username.
Required when `user_info_enabled` is `true`. |
-| user_info_password | OAUTH | depends | Identity source password.
Required when `user_info_enabled` is `true`. |
+| Param | Idp type | Required | Description |
+|------------------------------|-------------------|----------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| id | all | yes | Unique identifier for an Identity Provider. |
+| name | all | yes | Unique name of an Identity Provider. |
+| type | all | yes | Identity Provider type.
Supported types: `TULIP`, `OAUTH`. |
+| enabled | all | no | Specify whether an Identity Provider is enabled.
Default value: `true`. |
+| default | all | no | Specify whether an Identity Provider is default.
Default value: `false`. |
+| issuer_uri | TULIP, UJO | yes | Uri of the issuer. This URI will be used to read the OpenID Connect configuration. |
+| client_id | TULIP, OAUTH | yes | Client identifier. |
+| client_secret | TULIP, OAUTH | depends | Client secret.
Required if client authentication method is `client_secret_basic` or `client_secret_post` |
+| client_authentication_method | TULIP, OAUTH, UJO | depends | Client authentication method.
Supported values: `private_key_jwt`, `client_secret_basic`, `client_secret_post`.
Default value is `private_key_jwt`. |
+| scopes | TULIP, OAUTH | no | Space-separated scopes. |
+| end_session_enabled | TULIP | no | Specify whether End Session integration is enabled for this Identity Provider.
Default value: `false`. |
+| integrations | TULIP, UJO | depends | List of enabled integrations.
Supported values: `APP_TO_WEB`, `UDH_API`. UJO Identity Provider type requires `UDH_API` to be set. |
+| tulip_api_client_id | TULIP, UJO | depends | Client identifier for Tulip API calls.
Required when `APP_TO_WEB` or `UDH_API` integration is enabled. |
+| tulip_api_client_secret | TULIP, UJO | depends | Client secret for Tulip API calls.
Required when `APP_TO_WEB` or `UDH_API` integration is enabled and authentication method is `client_secret_basic` or `client_secret_post`. |
+| tulip_api_base_url | TULIP, UJO | depends | This should be the base url of the Tulip brand without a trailing slash. UDH and App To Web will use this as a base for their urls.
Required when `APP_TO_WEB` or `UDH_API` integration is enabled. |
+| tulip_api_access_scope | TULIP, UJO | depends | Space-separated scopes for the required Tulip segments e.g. `iwelcome:segment:example`.
Required when `APP_TO_WEB` or `UDH_API` integration is enabled. |
+| tulip_api_used_auth_methods | TULIP | no | List of Auth Methods for the App to Web integration with Tulip e.g. `["SMS", "another"]`.
Used when `APP_TO_WEB` integration is enabled. |
+| authorization_url | OAUTH | yes | Oauth authorization endpoint. |
+| token_url | OAUTH | yes | Oauth token endpoint. |
+| profile_url | OAUTH | yes | OpenID Connect UserInfo endpoint. |
+| user_info_enabled | OAUTH | no | Specify whether CIM's Person API is enabled for this Identity Provider.
Default value: `false`. |
+| user_info_endpoint | OAUTH | depends | Identity source URL. The URL of API that provides user's identity. Use `{userId}` placeholder for userId path param. e.g. https://host/api/persons/{userId}/profile
Required when `user_info_enabled` is `true`. |
+| user_info_username | OAUTH | depends | Identity source username.
Required when `user_info_enabled` is `true`. |
+| user_info_password | OAUTH | depends | Identity source password.
Required when `user_info_enabled` is `true`. |
Example `TULIP` type request:
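Review bot: the `type` row still lists only `TULIP` and `OAUTH` as supported types, yet `UJO` now appears in the Idp type column of `issuer_uri`, `client_authentication_method`, `integrations` and the `tulip_api_*` rows; add `UJO` to the `type` row (and reconcile it with the section header's `TULIP`, `OAUTH`, `ID_BROKER` list, which already disagrees with the table). In the same hunk `client_authentication_method` moved from `no` to `depends`, but the description still only states the default of `private_key_jwt`; say for which type it becomes required and which values are valid for `UJO`, because `client_secret` is not listed for `UJO` at all, so a reader could pick `client_secret_basic` or `client_secret_post` for a UJO provider with no documented way to supply the secret.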
diff --git a/docs/products/access/appendix/access-events.md b/docs/products/access/appendix/access-events.md
index 1b7eb7e..5717c6d 100644
--- a/docs/products/access/appendix/access-events.md
+++ b/docs/products/access/appendix/access-events.md
@@ -144,6 +144,7 @@
| AUTHN REQUEST LOGIN REQUIRED | The client has requested authentication without user interaction, but the user has no session or the identity provider does not support authentication without user interaction. |
| AUTHN REQUEST INTERACTION REQUIRED | The client has requested authentication without user interaction, and has authorized the application, but needs to be redirected elsewhere before authentication can be completed. |
| AUTHN REQUEST CONSENT REQUIRED | The client has requested authentication without user interaction, but the user has to give consent. |
+| AUTHN REQUEST INVALID ACR VALUES | The configured identity provider returned acr_value other than requested. |
| TOKEN REQUEST INVALID | The access token request is missing one or more required fields. |
| TOKEN REQUEST INVALID REDIRECT URI | The provided redirect uri in the access token request does not match the configured redirect uri for the specified client. |
| TOKEN REQUEST INVALID GRANT | The access grant used to request an access token was expired or revoked. |
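Review bot: grammar in the new `AUTHN REQUEST INVALID ACR VALUES` row: "returned acr_value other than requested" should read "returned an `acr` value other than the one requested". The neighbouring rows also describe the outcome, so consider stating what Access does in this case (for example whether the authentication is rejected), since someone filtering audit events needs to know whether this event marks a failed login.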
@@ -219,6 +220,11 @@
| ONEGINI IDP EXTERNAL IDPS FETCH FAILED | OneWelcome Access was unable to fetch the list of external identity providers that are configured in the [Consumer Identity Manager](https://docs-single-tenant.onegini.com/cim/stable/idp) application. |
| TULIP ACCESS TOKEN REQUEST FAILED | Request to Tulips `token` endpoint for API access token failed. |
| TULIP UDH REQUEST FAILED | Failed to get user data from Tulip's User Data Enhancer endpoint. |
+| IDP UJO JOURNEY INITIALIZATION FAILED | An unexpected error occurred during User Journey Initialization. |
+| IDP UJO INVALID TRANSACTION | Returned transaction identifier mismatches with the local state. |
+| IDP UJO INVALID OR INCOMPLETE USER INFORMATION | The returned user id and/or id store type are missing or invalid. |
+| IDP UJO FAILED TO FETCH JOURNEY RESULT | An unexpected error occurred while resolving the journey result. |
+| IDP UJO FAILED TO USER INFO | An unexpected error occurred while resolving UserInfo. |
| SESSION TERMINATION ALL USER SESSIONS TERMINATED | All user sessions were ended. |
| SESSION TERMINATION USER SESSION TERMINATED | Particular user session was ended. |
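Review bot: the event name in the last added row, `IDP UJO FAILED TO USER INFO`, is missing a verb; the row above it is `IDP UJO FAILED TO FETCH JOURNEY RESULT`, so this presumably should be `IDP UJO FAILED TO FETCH USER INFO`, but verify it against the constant the code actually emits, because audit consumers match on the literal string. Minor wording in `IDP UJO INVALID TRANSACTION`: "mismatches with the local state" reads better as "does not match the local state".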
diff --git a/docs/products/access/topics/general-app-config/identity-providers/img/add-ujo-idp-page.png b/docs/products/access/topics/general-app-config/identity-providers/img/add-ujo-idp-page.png
new file mode 100644
index 0000000..d295e8b
Binary files /dev/null and b/docs/products/access/topics/general-app-config/identity-providers/img/add-ujo-idp-page.png differ
diff --git a/docs/products/access/topics/general-app-config/identity-providers/index.md b/docs/products/access/topics/general-app-config/identity-providers/index.md
new file mode 100644
index 0000000..6a410a5
--- /dev/null
+++ b/docs/products/access/topics/general-app-config/identity-providers/index.md
@@ -0,0 +1,7 @@
+# Identity Providers
+
+User management is not present in OneWelcome Access. Instead, Access relies on external identity provider (IdP) integrations to
+identify a user. It offers built-in support for various identity providers and also allows for the custom integrations.
+
+* [Identity Providers configuration](identity-providers.md)
+* [UJO Identity Provider configuration](ujo-integration.md)
\ No newline at end of file
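Review bot: "allows for the custom integrations" should be "allows for custom integrations". The new file also lacks a trailing newline (`\ No newline at end of file`); worth adding one so later diffs against this file stay clean.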
diff --git a/docs/products/access/topics/general-app-config/identity-providers/ujo-integration.md b/docs/products/access/topics/general-app-config/identity-providers/ujo-integration.md
new file mode 100644
index 0000000..a0a3d19
--- /dev/null
+++ b/docs/products/access/topics/general-app-config/identity-providers/ujo-integration.md
@@ -0,0 +1,30 @@
+# UJO Integration
+
+"UJO" stands for User Journey Orchestration and, as such, represents an Access capability that enables external Relying Parties (RPs) to
+authenticate their users in a customizable and extendable way. When integration is configured and enabled, Access will feed UJO with
+contextual information about the state of an active session, as well as all other information that can be derived from the original request
+sent by the RP. Based on the presented information and the capabilities configured for a given tenant, UJO decides how the authentication
+process should be handled (i.e., which authentication process to execute).
+
+## Configuring UJO integration
+
+To configure UJO integration, navigate to the `Configuration` tab of the administration console and click the `Identity Providers`tab.
+On the overview that is shown, you can select the `Add Identity Provider` option.
+
+
+
+Fill all the mandatory fields.
+
+| Field | Required | Example value | Details |
+|---------------------------|----------|-----------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Type | yes | User Journey Orchestration | The integration type, for UJO must be set to `User Journey Orchestration`. |
+| Name | yes | UJO | Display name of this UJO Identity Provider instance. This is only used for informational purposes in the Admin console and APIs. |
+| Identifier | yes | ujo | Unique identifier of this UJO Identity Provider. |
+| Enabled | no | | Indicates whether the Identity Provider integration being configured is enabled (can be references by Web and Mobile Clients). |
+| Default | no | | Indicates whether the Identity Provider integration being configured is default - will be used by all Web and Mobile Clients that don't specify a specific Identity Provider. |
+| OpenID Connect Issuer Uri | yes | https://insurgroup-edge.onewelcome.io/insurcar/auth/oauth2.0/v1 | OIDC Issuer URI of Tulip instance that is meant to serve as a User Store for this UJO integration. |
+| Authentication method | yes | Private key JWT | Client authentication scheme that will be used by Access when communicating with Tulip and UDH APIs. |
+| Integrations | yes | User Data Enhancer API | UJO integration requires UDH, a primary data source for the user. |
+| API Client ID | yes | udh-client | The OAuth client identifier that will be used to obtain an AccessToken for the UDH communication. |
+| API Base Uri | yes | https://insurgroup-edge.onewelcome.io/insurcar | The Tulip's base URL including segment path element. |
+| API Access scope | yes | iwelcome:segment:intergroup | OAuth scope required by the UDH integration. |
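Review bot: the `Authentication method` row gives only `Private key JWT` as an example, while the `Details` column says it is the scheme used for both Tulip and UDH calls and the API reference in this same change lists a `tulip_api_client_secret` parameter for `UJO`; either document the secret-based methods and their extra field here, or state explicitly that Private key JWT is the intended option for UJO so operators do not end up storing a shared secret they do not need. Smaller fixes in the hunk: `Identity Providers`tab is missing a space, "can be references by" should be "can be referenced by", "The Tulip's base URL" should be "Tulip's base URL", and the two blank lines after the "Add Identity Provider" sentence look like where the screenshot `add-ujo-idp-page.png` added in this change was meant to be embedded but is not referenced. Finally, the example values use what looks like a real tenant host (`https://insurgroup-edge.onewelcome.io/insurcar/...`) and the scope example `iwelcome:segment:intergroup` does not match the `insurcar` segment in the base URI; prefer a clearly fictitious host and consistent segment names.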
diff --git a/docs/products/access/topics/general-app-config/index.md b/docs/products/access/topics/general-app-config/index.md
index aa3eaad..1a6133f 100644
--- a/docs/products/access/topics/general-app-config/index.md
+++ b/docs/products/access/topics/general-app-config/index.md
@@ -5,6 +5,6 @@ mobile as web applications using OneWelcome Access.
* [PIN policy configuration](pin-policy/pin-policy.md)
* [Scopes configuration](scopes/scopes.md)
-* [Identity provider configuration](identity-providers/identity-providers.md)
+* [Identity provider configuration](identity-providers/index.md)
* [Resource gateway configuration](resource-gateway/resource-gateway.md)
* [OS version management](os-version-configuration/os-version-configuration.md)
\ No newline at end of file
diff --git a/mkdocs.yml b/mkdocs.yml
index f653481..a29101f 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -58,7 +58,10 @@ nav:
- 'Introduction': products/access/topics/general-app-config/index.md
- 'PIN policy configuration': products/access/topics/general-app-config/pin-policy/pin-policy.md
- 'Scopes configuration': products/access/topics/general-app-config/scopes/scopes.md
- - 'Identity provider configuration': products/access/topics/general-app-config/identity-providers/identity-providers.md
+ - 'Identity Providers':
+ - 'Introduction': products/access/topics/general-app-config/identity-providers/index.md
+ - 'Identity provider configuration': products/access/topics/general-app-config/identity-providers/identity-providers.md
+ - 'UJO Identity Provider configuration': products/access/topics/general-app-config/identity-providers/ujo-integration.md
- 'Resource gateway configuration': products/access/topics/general-app-config/resource-gateway/resource-gateway.md
- 'OS version management': products/access/topics/general-app-config/os-version-configuration/os-version-configuration.md
- 'Mobile applications':